Bug 1384334

Summary: On an SSL enabled overcloud the Neutron api returns http URL
Product: Red Hat OpenStack Reporter: Marius Cornea <mcornea>
Component: openstack-neutronAssignee: John Schwarz <jschwarz>
Status: CLOSED ERRATA QA Contact: Marius Cornea <mcornea>
Severity: high Docs Contact:
Priority: high    
Version: 10.0 (Newton)CC: amuller, chrisw, ddomingo, ihrachys, jschluet, jschwarz, mburns, mcornea, nkinder, nyechiel, oblaut, rhos-flags, srevivo
Target Milestone: rcKeywords: Triaged
Target Release: 10.0 (Newton)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-neutron-9.0.0-1.7.el7ost Doc Type: Bug Fix
Doc Text:
This release adds a HTTPProxyToWSGI middleware in front of the OpenStack Networking API to set up a request URL correctly in case a proxy (eg. HAProxy) is used between the client and server. This ensures that when a client uses SSL, the server recognizes this and responds using the correct protocol. Previously, using a proxy made it possible for the server to respond with HTTP (instead of HTTPS) even when a client used SSL.
Story Points: ---
Clone Of:
: 1384340 (view as bug list) Environment:
Last Closed: 2016-12-14 16:18:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1384340    

Description Marius Cornea 2016-10-13 06:54:01 UTC
Description of problem:
On an SSL enabled overcloud the Neutron api returns http URL

openstack catalog show neutron
+-----------+------------------------------------------------------+
| Field     | Value                                                |
+-----------+------------------------------------------------------+
| endpoints | regionOne                                            |
|           |   publicURL: https://[2001:db8:ca2:4::10]:13696      |
|           |   internalURL: http://[fd00:fd00:fd00:2000::14]:9696 |
|           |   adminURL: http://[fd00:fd00:fd00:2000::14]:9696    |
|           |                                                      |
| name      | neutron                                              |
| type      | network                                              |
+-----------+------------------------------------------------------+

curl -s -H "X-Auth-Token: $OS_TOKEN" https://172.16.18.25:13042  | python -m json.tool

{
    "versions": [
        {
            "id": "v2.0",
            "links": [
                {
                    "href": "http://[2001:db8:ca2:4::10]:13696/v2.0",
                    "rel": "self"
                }
            ],
            "status": "CURRENT"
        }
    ]
}


Version-Release number of selected component (if applicable):
openstack-neutron-9.0.0-0.20160929051647.71f2d2b.el7ost.noarch

Comment 3 Marius Cornea 2016-11-28 16:01:00 UTC
Testing fails with the current build. I believe in order to be able to verify this we also need a fix for BZ#1384340 which is still in NEW state. 

curl -s -H "X-Auth-Token: $OS_TOKEN" https://172.16.18.25:13696 | python -m json.tool
{
    "versions": [
        {
            "id": "v2.0",
            "links": [
                {
                    "href": "http://172.16.18.25:13696/v2.0",
                    "rel": "self"
                }
            ],
            "status": "CURRENT"
        }
    ]
}

Comment 4 Ihar Hrachyshka 2016-11-28 16:16:18 UTC
Marius, do you have a specific puppet patch on your mind?

Comment 5 Marius Cornea 2016-11-28 16:29:59 UTC
(In reply to Ihar Hrachyshka from comment #4)
> Marius, do you have a specific puppet patch on your mind?

Yes, it looks that this one fixes addresses the issue:
https://review.openstack.org/#/c/400591/

Comment 6 John Schwarz 2016-11-28 16:33:02 UTC
Marius, puppet-tripleo doesn't have a patches branch. In other words, patches are automatically synced from upstream. Putting a needinfo on Mike Burns who I hear deals with the syncs.

Comment 7 Marius Cornea 2016-11-29 11:53:32 UTC
This has landed in the latest build and canbe verified:

{
    "versions": [
        {
            "id": "v2.0",
            "links": [
                {
                    "href": "https://172.16.18.25:13696/v2.0",
                    "rel": "self"
                }
            ],
            "status": "CURRENT"
        }
    ]
}

Comment 10 errata-xmlrpc 2016-12-14 16:18:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2948.html